On Tue, Jul 04, 2006 at 10:58:12AM -0500, Tim Yardley wrote:
> dbdef-create also seems to fix this issue some of the time, so it is
> probably a combination of problems.
>From what I can tell there isn't a combination of problems so much as
several very different problems getting mixed up because the symptoms
are similar.
If dbdef-create fixes the problem, there's not really anything left for
us to fix. Current (1.5.8 and HEAD) freeside-setup already runs the
equivalent after creating the schema. Any problems still being reported
that are fixed by dbdef-create or freeside-upgrade are probably from
folks trying to use old databases.
> The case that I ran into it, was under 7.4.x but I was able to
> resolve the issue with dbdef-create and some tweaking.
I've never run into this problem with 7.4, and I don't think it affects
8.0 either.
I'm unsure if there's still an outstanding issue with 8.1 that's not
fixed by
http://www.sisd.com/cgi-bin/viewcvs.cgi/freeside/FS/FS/Record.pm?r1=1.116&r2=1.117
The quality of error reporting from users on this issue has been pretty
dismal; if someone actually provided a good problem report that allowed
me (or an interested contributor) to duplicate the problem with
FREESIDE_1_5_BRANCH or HEAD, it would be far more likely to hold my
attention.
> In regards to the javascript, there are obviously a number of ways to
> fix the problem. Do keep in mind that the error message is being
> written out for tha javascript by mason from perl as a command to a
> javascript function itself, so I'm sure you meant that the perl should
> escape it for the javascript rather than the javascript itself.
Yes, I know. I wrote it. Patches appriciated far more than armchair
commentary. :)
> Without escaping or another solution present, in its current form it
> could be used for a type of XSS attack, assuming there is a place
> somewhere in freeside that the user input or configured error strings
> were tainted.
XSS "attacks" are overrated, and the threat of employees spoofing other
employees' browsers is not the same sort of threat as things like
privledge escallation or information exposure, but yes.
> Out of curiousity, has anyone done a security audit of freeside recently?
The software is developed with an very careful eye towards security (how
could it not be, considering its function?) and I wouldn't expect
serious problems with common webapp exploits like SQL injection, but
there hasn't been a formal security audit by a third party. Are you
interested in sponsoring this?
--
_ivan
> -----Original Message-----
> From: freeside-users-bounces at sisd.com> [mailto:freeside-users-bounces at sisd.com] On Behalf Of Ivan Kohler
> Sent: Monday, July 03, 2006 1:42 PM
> To: Freeside users mailing list
> Subject: Re: [freeside-users] New User Looking for version suggestions
>> On Tue, Jun 20, 2006 at 03:41:11PM -0500, Tim Yardley wrote:
> > Robert;
> >
> > I have also seen this error. Ivan's code "fix" mentioned as a reply
> to
> > the previous thread doesn't solve this problem... As you have already
> > seen. Looking in cvs, I don't see a fix in general for it... But I
> > could be missing it.
> >
> > The problem lies in this call:
> > my $default = $self->dbdef_table->column($primary_key)->default;
> >
> > Which on a fresh clean install will return the string "ERROR: null
> value
> > in column". This may be fixed in a number of ways, a manual insert
> into
> > the table which will then prime the sequence, for example.
> >
> > Ivan, do you have an approved workaround for this?
>> Sorry, nope. I haven't run into this problem myself. Seems to be only
> Pg 8.1 (8.0?). I'd be happy to apply any patches and make the fix
> "approved" if you or someone else wants to work on it, of course. :)
>> > Side note, any place that returned text is going to be leveraged by
> > javascript (in the little pop-up display for example), should not use
> an
> > apostrophe. If it does, it will break the javascript function call.
>> No - the javascript function that uses the text should escape it
> properly instead.
>> --
> _ivan
>>>> > -----Original Message-----
> > From: freeside-users-bounces at sisd.com> > [mailto:freeside-users-bounces at sisd.com] On Behalf Of Robert Smith
> > Sent: Tuesday, June 13, 2006 7:25 PM
> > To: Freeside users mailing list
> > Subject: Re: [freeside-users] New User Looking for version suggestions
> >
> > Sorry, should have mentioned I'd already read through the lists and
> had
> > tried that. I didn't use the Record.pm version there, but got the
> > latest that was posted. No change. (The latest version seemed to
> have
> > all of the same changes in it. I scanned it but did not read it line
> > for line.)
> >
> > Robert
> >
> > John wrote:
> >
> > >Sorry Robert, this may be closer to the mark-
> > >http://www.sisd.com/pipermail/freeside-users/2006-January/004961.html> > >
> > >
> > >
> > >
> > >
> > >
> > >>I'm trying to get Freeside running for the first time.
> > >>
> > >>Using FreeBSD 6
> > >>PostgreSQL 8.1 (Didn't disable OID's, so assume they are there.)
> > >>Freeside 1.5.8
> > >>Apache22
> > >>Perl 5.8.8
> > >>DBI 1.51
> > >>DBD-Pg-1.49
> > >>
> > >>Everytime I try to add the initial svc_domain, I get " (progress of
> > job
> > >>#can't parse queue.jobnum default value for sequence name: )"
> > >>
> > >>Any suggestions are welcome, to include a preferred list of versions
> > to
> > >>run on FreeBSD.
> > >>
> > >>Robert Smith
> > >>